[SecurityRatty] tag: portland

Portland's Network Gets Shut Off Date

Thu, 19 Jun 2008 08:14:16 +0000

It was a matter of time, but the death knell date has been set for Portland, Ore.'s Wi-Fi network: MetroFi told the city that it will turn its network off on June 30, and remove all devices by about July 30. MetroFi's business model required most of its revenue to come from advertising shown to users of the network; they also offered ad-free service, and business services. The network never reached a scale in Portland with enough reach to hit a critical mass.

As with most Wi-Fi networks built or planned in 2005 and 2006, indoor coverage required wireless boosters, and the necessity of those signal bridges wasn't clear to early users. That led to early adopters rejecting MetroFi's and others' services, which didn't help spread use.

Eleventh Hour Rescue for Phila. Network?

Tue, 17 Jun 2008 01:39:29 +0000

Local investors poised to assume control of Philadelphia Wi-Fi network: The Philadelphia Inquirer says two local businessmen will form a new company to create a for-profit service that will have a combination of fees and advertising support. One of the two was briefly the head of the non-profit Wireless Philadelphia that technically is responsible for the network; the other, a former Verizon executive. Their announcement is expected later today.

Can they succeed where EarthLink (and others) failed? Possibly. If they get the same deal that EarthLink previously offered, they're getting a lot of equipment for free and a quantifiable set of problems. I had written earlier it wasn't a good deal for Phila. to accept the network, but a private operator that's locally based and is trying to do good and get a return on its investment may be able to raise money and set more modest goals. Starting from scratch is a non-starter for any firm at this point.

What they desperately need to do if they acquire the network is immediately bulk out several critical square miles, convince the city to buy some service right away (point-to-point dedicated connections to replace wirelines comes to mind, but will an ex-Verizoner be able to convert municipal revenue that's going to his old employer without qualms?), and show that the network can work.

The advertising part is interesting. MetroFi has shown that their particular flavor of ad-supported Wi-Fi doesn't work. But their goal wasn't crossing a digital divide, and the Portland, Ore., network was never given high marks by local users as to its robustness and reach.

Wee-Fi: Detroit Update, Home Network-Fi, Piggyback-Fi, PHL Free-Fi

Mon, 16 Jun 2008 07:21:48 +0000

The Detroit Free Press rounds up free and fee Wi-Fi efforts around it: The city and its suburban and exurban surroundings could use more broadband, but Wi-Fi has arrived only slowly as an option. It hasn't disappeared outright, and it's made inroads in some places. The project to unwire Oakland County is on hold as even though the county and cities secured pole rights for a firm to build service, that firm is still searching for capital. A county-wide network might be a better model, but the density is always the issue: mounting locations and assets coupled with homes passed and their median income.

GigaOm's Michael Wolf rounds up what other forms of networks are needed in a home beyond Wi-Fi: Ethernet, HomePlug, MoCA, HomePNA, Wireless HD, personal networks (Bluetooth), and automation controls. (My home is a very stupid home, thank you very much.)

He who steals my Wi-Fi steals hash: Mike Rogoway at the (Portland) Oregonian poses the question as to whether using a neighbor's unsecured Wi-Fi is borrowing, stealing, or nothing at all. I pipe in noting that more people are securing their networks. In my current office, where I've been three years, I spotted over a dozen networks when I arrived, most unsecured. Today, all the networks are secured (only some are small business networks), and many of the names have changed. The reasons? Better security wizards, widespread use of WPA, improved Wi-Fi network setup in Windows Vista and XP SP2, start of use of WPS, and general fear of security issues. Rogoway also runs through what the options for connectivity in Portland are as MetroFi is about to hit its network shutdown date.

Philadelphia's mixed free airport Wi-Fi: I somehow missed this story months ago, but PHL (Philadelphia's airport) is offering free Wi-Fi on the weekends to every one, and free Wi-Fi on the weekdays to college students. Students go to an information counter, show their valid student ID, and get an access code. This is a very neat idea. The airport is otherwise $8 for 24 hours or $40 per month, although it's part of much cheaper roaming plans from Boingo Wireless and iPass.

Metro Round-Up: Phila., Minneapolis, St. Louis Park (Minn.), Texas, Foster City (Calif.), Naperville (Ill.), Chehalis and Centralia (Wash.), Cambria C

Wed, 11 Jun 2008 10:33:41 +0000

Philadelphia may find operator for Wi-Fi network: The AP reports that the City of Brotherly Love's Wi-Fi network isn't yet down, or down for the count. While it's scheduled to be flipped off tomorrow (you can read whatever you like into the phrase "flipped off"), the city is talking to a party it won't disclose about the networks future. EarthLink sued Phila. in May to be able to remove its equipment and cap its liabilities. The city's wireless non-profit arm, Wireless Philadelphia, has made noises about what EarthLink's true liability could be; the non-profit has born some of the electrical cost, and might be seeking to have that repaid on top of penalties and other expenses.

Minneapolis suffers the heartbreak of leafage: Leaves are popping in Minneapolis, and Star-Tribune columnist Steve Alexander writes that residents are seeing some Wi-Fi reception problems on that city's Wi-Fi network. This is the only big-city network that can be currently described "successful," even though its long-term success has to be proven out. The firm responsible, USI Wireless, told Alexander they're working on adjusting about 5 percent of antennas to cope with the pesky greenery.

St. Louis Park sues ARINC over Wi-Fi network: The Minnesota town says the network never worked, and had earlier discussed a lawsuit. The city wants the value of the contract ($1.7m) plus a very modest amount in damages and fees ($50,000). The city plans to start removing gear if ARINC doesn't sometime in June. But they have to deal with 490 poles erected to hold the nodes and solar-charging gear--sunk into concrete. More recent testing showed that the network worked well in some areas, but the majority of the network did not, according to the Star Tribune.

Verizon builds out fiber in AT&T territory: Interesting sign of competition in otherwise monopoly-per-provider-type world. Verizon is using AT&T's hard-won statewide video franchising rules in Texas to build competitive fiber in Dallas suburbs. They're apparently not bringing telecom; they're acting like a cable TV firm with data. Verizon owns chunks of territory all over due to it encompassing GTE in a deal years ago. GTE serves suburbs west of Portland, Ore., and east of Seattle, for instance, while Qwest serves most of the rest of each state.

Foster City Wi-Fi dies on June 20: MetroFi is unlighting its cities, and Foster City opted not to spend the nearly $200,000 asking price MetroFi put on its equipment. MetroFi might still find a buyer, but June 20 is the network's current final day. Naperville, Ill., also expects a June 20 shutdown. They, too, were offered the network hardware for 200 grand.

Chehalis lights up: A small city in southern Washington votes to put in Wi-Fi hotzones. The cost is about $53,000 and annual fees $15,000. Funds will come from existing tax and grant sources. The city chose to install service to make sure they're not missing a checkbox on the amenities list for visitors and businesses rather than for a particular, measurable goal.

Nearby Centralia pulls its Wi-Fi: A pilot project in the larger city of Centralia, Wash., a bit north of Chehalis, is shut down when poles used to mount Wi-Fi radios are removed as electrical wires are buried. (The reporter here confuses broadband over powerlines (BPL) with broadband wireless.) The system might be restarted later.

Craig Settles writes up Pennsylvania's Cambria County wireless success: This is a network built for particular municipal purposes, part of Settles's long-time drumbeat about having applications first and then networks built for those networks second. He notes that Cambria built a 700 sq mi network that sounds nearly cost neutral through efficiency and cost conservation--it's cheaper to get much more service with this network than it was for a smaller array of services with incumbent-provided networks.

Santa Fe residents oppose Wi-Fi in the library on health grounds: You know what I have to say about how provable this has turned out to be in clinical studies. I am, however, as always, concerned about these people's health, even if I don't believe that Wi-Fi (or EMF) causes their problems. The group opposed to library-Fi is citing the ADA in this case, uniquely I believe. Six libraries suggested that EMF triggers seizures in epileptics, something I've never heard cited before; maybe CRTs (flickering), but EMF? Wired is substantially less kind than I am, pointing out that EMF other than Wi-Fi produces vastly higher signal strength. (They're sort of ignoring signal strength at a given point where an individual stands in relation to a transmitter, however.)

Wee-Fi: Portland Coverage of MetroFi; Boston's Measured Pace

Mon, 19 May 2008 09:10:08 +0000

The (Portland) Oregonian writes about the impending shutdown of MetroFi's network there: As I reported last week, MetroFi plans to sell or shutdown the nine networks it operates on its own; I don't have a status on Riverside, Calif., where they act as an AT&T contractor. The Oregonian's Mike Rogoway notes that the city's expense includes a $250,000 feasibility study and the cost of a staffer who manages the project. Given the level of usage--the April numbers from MetroFi are 306,000 hours of use and 16,000 users--and despite the reported problems, that wasn't money wasted in light of citizen benefits. MetroFi wants about $900,000 to sells its nearly 600 SkyPilot nodes. I can't imagine the city or anyone paying for this, because that would tie the city not just to ongoing expense in operating a network that covers a small part of the city, but to SkyPilot. SkyPilot reported in April that they raised $3.4m for a lifetime total of $70m in financing, but they haven't talked about new customer wins, deployment status, or units shipped since early 2007 (with one small network exception). It's unlikely any of MetroFi's or EarthLink's cities will purchase the gear on poles because even at bargain-basement prices, the cities would be buying into the engineering assumptions and vendor decisions of firms that decided to exit the business due to a lack of return on investment. Hardly wise.

OpenAirBoston advisor editorializes that slow and steady is the way to figure out muni-Fi: An op-ed by Brian Worobey of the Museum of Science in Boston notes that the local non-profit's slow pace--accidental, he notes, as it intended to roll out faster--could produce more information and a better result than the many failed all-at-once attempts for deployment. My current line on this is that Wi-Fi's likely utility in a city is in site-specific, limited area networks designed to solve particular problems. Call it reverse redlining or bridging the digital divide or simply gapfilling, but Wi-Fi could be used effectively and relatively inexpensively as a tool to bring broadband where it is not. But that has to be coupled with goals and plans: what is the point of bringing broadband? Job opportunities? Education? Entertainment? Having these answers would help produce the right kind of network.

MetroFi Plans Market Exit: Sale or Shutter

Thu, 15 May 2008 17:47:12 +0000

MetroFi will sell its networks, but plans to shutter if there are no buyers: Ah, folks, the trifecta has arrived, and I'm nothing but sad about it. MetroFi's chief Chuck Haas emailed me this evening with the news that his firm has decided that they will sell their networks in nine cities, including their first cities in the Bay Area (Cupertino, Santa Clara, and Sunnyvale), and their largest muni deployment in Portland, Ore. If no buyers emerge--including the cities in question--Haas said that MetroFi would have a shutdown plan for gradually unlighting the networks.

MetroFi was one of the three most prominent pure play metro-scale Wi-Fi firms, if you count EarthLink's municipal wireless division as a separate operation, and Kite Networks, which was a subsidiary of a larger telecom firm. Each company had made a unique network hardware choice--MetroFi, SkyPilot; Kite, Strix; and EarthLink Tropos plus Motorola--and each had a sort of specialty. Interestingly, a fifth firm, BelAir powers Toronto (a small but super-fast Wi-Fi network) and Minneapolis (the only putatively completed large-city Wi-Fi network), and will be behind Cablevision's nearly $350m New York Wi-Fi plan.

MetroFi was the only major firm to back ad-supported no-fee access, coupled with paid, no-ads service, and higher tiered commercial offerings. They built mostly smaller cities, with Portland being their only real big city win. The firm began with the notion of building Wi-Fi out gradually as a way to provide broadband in communities that lacked service, with no municipal involvement. That plan required sparser networks and typically a home signal booster designed by SkyPilot. (Kite mostly focused on the Southwest; EarthLink on big cities.)

EarthLink was in many ways largely responsible for the mess that all Wi-Fi providers found themselves in last year by offering to build Philadelphia's network back in 2005 at no cost to the city--in fact, paying the city and the local utility fees. That set the stage for nearly all the RFPs that followed where, if EarthLink were a bidder or the city was aware of the alternatives, the notion was that no city dollars would be spent, even if taxpayer money wasn't "at risk"--that is, even if a city could save money by switching current line items in their telecom and data budget to a wireless network.

Haas noted via email that MetroFi has been working towards anchor commitments by cities for nearly two years, but the inertia of those early networks led municipalities to reject those options. In Toledo, where MetroFi had negotiated an anchor commitment, a change in administration led a new mayor to retreat from the plan.

Is there a future for metro-scale Wi-Fi? Yes. With thoughtfully constructed, outdoor-focused deployments centered on municipal purposes, with public access a secondary issue, it seems like these networks could still provide an inexpensive way for relatively high bandwidth compared to the alternative of cell data networks.

However, that advantage is likely short lived in larger markets. The near-future certainty now that there will be multiple provides offering wired broadband speed service starting later this year with Sprint/Clearwire's WiMax, and continuing through into 2012 with significant network buildout by Verizon and AT&T in several bands (including their new 700 MHz holdings).

While Sprint/Clearwire is talking about 120m to 140m homes passed by 2010 with their network, obviously focusing only on major markets, many of the 700 MHz licenses purchased by AT&T and Verizon carry buildout requirements with penalties. So cities outside the top 100 population markets and rural areas will still see some benefit. In those mid-tier markets, there's also the 3.65 GHz band for shared licensed use, which is a model that Azulstar is pursuing with new WiMax deployments, as I wrote about recently.

Competition will likely push the cost of mobile broadband far below its $60 per month 2-year contract rate of today, which then would beg the question why a city or county with good commercial coverage would need to build its own Wi-Fi network. There are still plenty of reasons to build dedicated, first-responder 4.9 GHz public safety networks, of course.

I've always described Wi-Fi on a metropolitan scale as the best, worst technology. The best, because everyone has Wi-Fi in their laptops and increasingly in handhelds and gadgets. The worst, because the technology is absolutely not designed for the purpose, unlike CDMA and GSM evolved cell standards and mobile WiMax.

It's possible that in the long term, looking five years out, that Wi-Fi on a metro-scale will only be needed in small towns, odd markets, and for highly particular purposes. Or, perhaps in a bit of irony, where companies like Cablevision feel Wi-Fi is necessary to retain the loyalty of their highly wired customer base.

Wee-Fi: In-Depth on Muni-Fi; Portland (Ore.) Update; Ferry-Fi Price Change

Mon, 21 Apr 2008 12:33:57 +0000

John Cox exhaustively examines what works (and doesn't) with municipal Wi-Fi for Network World: This article thoroughly goes over what failed in rolling out city-wide Wi-Fi, and what kinds of networks seem to be playing out successfully so far. There's not enough history with nearly any of the "successful" networks out there, but building networks designed primarily for municipal or public safety purposes seems to produce revenue savings and an increase in specific results. You have to love the lead, too: "Municipal Wi-Fi is dead." Followed by a good summary of how the "classic" flavor is all washed up.

Portland, Ore., considers its options with MetroFi's stalled network: The city of Portland alerted MetroFi in February that it considers the company "in default of contract," according to the (Portland) Oregonian. MetroFi told the paper that his firm won't be finishing the network without "financial support form the city and left open the possibility MetroFi will shut off the entire system." CEO Chuck Haas also seems to have sworn off ad-supported Wi-Fi, something the company switched to years ago, deciding there's truly not enough revenue there to turn a profit. Local group Personal Telco may move into a more leading role, given their steady work while MetroFi fiddled with their business model.

The Oregonian's blog cites some items from the 6 Feb. 2008 letter sent by Portland to MetroFi, noting a lack of ongoing communication and maintenance, as well as a failure to provide information about its advertising partner MSN's privacy practices.

Washington State Ferry Wi-Fi adjusts pricing: Ferry-Fi operator Parsons now offers 2-hour sessions for $3.95, and pre-paid packages of up to 20 sessions for $29.95 (about $1.50 per session). Monthly service remains $30 per month, but Parsons roams with Boingo and iPass at no extra charge.

A breach that hits home with 2008 presidential candidates

Sat, 22 Mar 2008 10:16:50 +0000

Technorati Tag: Security Breach

Date Reported:
3/20/08

Organization:
U.S. Government

Contractor/Consultant/Branch:
U.S. Department of State
Stanley, Inc.
The Analysis Corporation

Victims:
United States passport applicants

Number Affected:
Unknown*

*Prominent political figures such as Barack Obama, Hillary Clinton and John McCain were all affected. It is expected and assumed that there are more affected individuals, but due to the sensational nature of events, the full extent of the breach is not known.

Types of Data:
"It is not clear whether the employees saw anything other than the basic personal data such as name, citizenship, age, Social Security number and place of birth, which is required when a person fills out a passport application."

Breach Description:
"The passport files of all three major presidential candidates were breached by unauthorized searches by four employees, the State Department said yesterday, prompting apologies from Secretary of State Condoleezza Rice, outrage from the candidates and calls by lawmakers for further probes."

Reference URL:
MSNBC News Story
Associated Press Story
Stanley, Inc. Official Company Statement
Statement from The Analysis Corporation

Report Credit:
Associated Press, posted to The Breach Blog through the kind urging of an informed reader

Response:
From the online sources cited above:

State Department employees snooped through the passport files of three presidential candidates — Sens. Barack Obama, Hillary Rodham Clinton and John McCain — and the department's inspector general is investigating.
[Evan] The Inspector General job is still vacant. Would you want this job? If so, you may have to call them. I don't see a job description or a posting on Monster.com.

State Department spokesman Sean McCormack said the violations of McCain and Clinton's passport files were not discovered until Friday, after officials were made aware of the unauthorized access of Obama's records and a separate search was conducted.
[Evan] Are we safe to assume that the unauthorized access to McCain and Clinton's passport files would have gone unnoticed without the discovery of the Obama access?

The incidents raise questions as to whether the information was accessed for political purposes and why two contractors involved in the Obama search were dismissed before investigators had a chance to interview them.

McCormack said one of the individuals who accessed Obama's files also reviewed McCain's file earlier this year. This contract employee has been reprimanded, but not fired. The individual no longer has access to passport records, he said.

"I can assure you that person's going to be at the top of the list of the inspector general when they talk to people, and we are currently reviewing our (disciplinary) options with respect to that person," McCormack said.

Secretary of State Condoleezza Rice spoke with all three candicates on Friday and expressed her regrets.

After speaking with Obama, Rice told reporters: "I told him that I was sorry, and I told him that I myself would be very disturbed."

"None of us wants to have a circumstance in which any American's passport file is looked at in an unauthorized way," said Secretary of State Condoleezza Rice as she offered apologies to the candidates.

The State Department said the Justice Department would be monitoring the probe in case it needs to get involved.

In Clinton's case, an individual last summer accessed her file as part of a training session involving another State Department worker. McCormack said the one-time violation was immediately recognized and the person was admonished.
[Evan] As part of a training session? What the….? Is it common practice to train employees/contractors with live confidential information? Bad.

Obama's records were accessed without permission on three separate occasions — Jan. 9, Feb. 21 and as recently as last week, on March 14.

McCain, who was in Paris on Friday, said any breach of passport privacy deserves an apology and a full investigation.
"The United States of America values everyone's privacy and corrective action should be taken," he said.
[Evan] Yes, especially when it is your own privacy!

Aside from the file, the information could allow critics to dig deeper into the candidates' private lives. While the file includes date and place of birth, address at time of application and the countries the person has traveled to, the most important detail would be their Social Security number, which can be used to pull credit reports and other personal information.

The violations were detected by internal State Department computer checks because certain records, including those of high-profile people, are "flagged" with a computer tag that tips off supervisors when someone tries to view the records without a proper reason.
[Evan] Excellent. It is good practice to log access attempts (successful and not) to confidential information. Of course you need to identify confidential information and classify it first, which is a huge challenge in a vast majority of companies. I think the government does a pretty good job of data classification however.

Former Independent Counsel Joseph diGenova said the firings of the contract employees will make the investigation more difficult because the inspector general can't compel them to talk.
[Evan] We have ways of making you talk! Seriously though. With all the resources at the disposal of the United States government, do you really think that officials won't be able to conduct a thorough investigation? Whether they will or not, or whether any details become public is another story.

Two companies that provide workers for the State Department say they fired or otherwise punished those who improperly accessed the passport records of the three major presidential candidates.

Stanley Inc., based in Arlington, Va., and The Analysis Corp., or TAC, of McLean, Va., said Friday that their employees' actions were unauthorized and not consistent with company policies.

Just this week, Stanley won a five-year, $570 million government contract extension to support passport services.

"When you have not just one but a series of attempts to tap into people's personal records, that's a problem not just for me but for how our government functions," Obama told reporters while campaigning in Portland, Ore. "I expect a full and thorough investigation. It should be done in conjunction with those congressional committees that have oversight function so it's not simply an internal matter."

From the Stanley, Inc. Official Company Statement:
Stanley manages more than 1,800 personnel including subcontractor personnel nationwide on contracts
assisting Department of State and other contract employees with production of over 18 million passports
annually.
[Evan] 18,000,000+ passports annually! We already know that there are trust issues with these four (both Stanley and TAC) contractors, does the potential exist for a breach of 18,000,000 records? Is the risk significant?

Prior to employment, Stanley and its subcontractor candidates undergo several background checks, including security and credit checks. Candidates are also subjected to a Government-sponsored background check. In addition, candidates receive training on the Privacy Act and are required to sign a Privacy Act acknowledgement prior to starting employment. This acknowledgement, among other items, indicates that any employee who knowingly obtains access to information under false pretense is subject to immediate dismissal and both civil and criminal prosecution.
[Evan] Obviously, some people don't care.

While this is a rare occurrence, we regret the unauthorized access of any individual's private information. Two Stanley subcontractor employees were involved in the unauthorized access of Senator Barack Obama’s passport files. In each of these instances the employee was terminated the day the unauthorized search occurred.

At this time we are unaware of the involvement of any Stanley or subcontractor employees in the unauthorized searches of Senator John McCain’s or Senator Hillary Clinton’s passport files.

From the "Statement from The Analysis Corporation":
Late this morning, representatives of the Department of State informed The Analysis Corporation (TAC) for the first time that one of the individuals who had been detected inappropriately accessing passport files of prominent political figures was a TAC employee. The individual was working on contract at the Department of State.

This individual's actions were taken without the knowledge or direction of anyone at TAC and are wholly inconsistent with our professional and ethical standards.
[Evan] Classic attempt by the company to separate themselves from the incident in question. I hope that this is an obvious statement.

TAC has an exemplary record of supporting the Department of State and other elements of the U.S. Government for close to two decades. We are fully cooperating with the Department of State in its investigation. Specifically, we have honored the Department's request to delay taking any administrative action related to the employment of the individual in order to give the Department's Office of the Inspector General the opportunity to conduct its investigation.

We deeply regret that the incident occurred and believe it is an isolated incident.
[Evan] What are the chances of four contractors from two independent contracting companies accessing confidential information while on contract at the same organization? Isolated? Maybe, maybe not.

Commentary:
Well, now information security (and privacy) hits home with some very powerful people. This will almost certainly spur changes. More so than when "commoners" were the ones affected.

I am concerned that these series of reported incidents are part of a bigger problem at the Department of State. It's probably unlikely that someone is going steal Barack Obama's identity (do you think he will get the standard one year of free identity theft protection? [heh]). Employees and the risks involved with their identity and access management are some of the most challenging issues to deal with as an information security professional. Employees need a certain amount of access in order to perform tasks, but how do you detect when an employee decides to use their "legitimate" access for purposes outside of the scope of their duties? You maybe able to detect when they "do" abuse access rights, but how could you detect when they "decide" to?

Past Breaches:
Unknown

Hannaford supermarket chain discloses data breach involving credit, debit cards

Sun, 16 Mar 2008 21:00:00 +0000

Portland, Maine-based supermarket chain Hannaford Brothers Monday disclosed it has suffered a data intrusion into its computer network that has resulted in the theft of customer credit and debit card numbers.

Sign up for a FREE NETWORK RISK ASSESSMENT!	Advertisement
MORE THAN 70% of networks are infected with hidden Malware. Find out if your network is infected now!